On Wed, 7 Feb 2018, Dan Fandrich wrote:

If the application/script sets --netrc then an attacker would just need to supply a username and curl would fill in the password, allowing attacks on machines that honoured those credentials (probably only local machines). And if --negotiate or --ntlm are enabled, then the attacker may not even need to supply a username to attack a local machine, as the request could be automatically authenticated as the local user.

Oh yes, excellent thinking. Thanks, I consider that a pretty strong argument for adding an option that switches off this ability.


 / daniel.haxx.se
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html

Reply via email to